1 //--------------------------------------------------------------------------
2 // Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
3 // Copyright (C) 2003-2013 Sourcefire, Inc.
4 //
5 // This program is free software; you can redistribute it and/or modify it
6 // under the terms of the GNU General Public License Version 2 as published
7 // by the Free Software Foundation.  You may not use, modify or distribute
8 // this program under any other version of the GNU General Public License.
9 //
10 // This program is distributed in the hope that it will be useful, but
11 // WITHOUT ANY WARRANTY; without even the implied warranty of
12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
13 // General Public License for more details.
14 //
15 // You should have received a copy of the GNU General Public License along
16 // with this program; if not, write to the Free Software Foundation, Inc.,
17 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
18 //--------------------------------------------------------------------------
19 
20 #ifdef HAVE_CONFIG_H
21 #include "config.h"
22 #endif
23 
24 #include "detection_filter.h"
25 
26 #include "hash/xhash.h"
27 #include "log/messages.h"
28 #include "main/thread.h"
29 #include "utils/util.h"
30 
31 #include "sfthd.h"
32 
33 using namespace snort;
34 
// Per-thread threshold table consulted by detection_filter_test().  It is
// created lazily by detection_filter_init() (only when filtering is enabled)
// and released by detection_filter_term(); until then it stays null.
static THREAD_LOCAL XHash* detection_filter_hash = nullptr;
36 
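// Allocates a zero-initialised DetectionFilterConfig and applies the defaults:
// a 1 MiB memcap for the per-thread threshold table and filtering enabled.
// Every other field (including the per-config rule counter) is left at zero by
// snort_calloc().  The caller owns the result and is expected to release it
// with DetectionFilterConfigFree().
DetectionFilterConfig* DetectionFilterConfigNew()
{
    // static_cast is the intended conversion from the void* returned by
    // snort_calloc(); a C-style cast would silently allow unrelated ones too.
    DetectionFilterConfig* df =
        static_cast<DetectionFilterConfig*>(snort_calloc(sizeof(DetectionFilterConfig)));

    df->memcap = 1024 * 1024;
    df->enabled = 1;

    return df;
}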
47 
// Releases a config produced by DetectionFilterConfigNew().  A null pointer is
// accepted and simply ignored, so callers may free unconditionally.
void DetectionFilterConfigFree(DetectionFilterConfig* config)
{
    if ( config )
        snort_free(config);
}
55 
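// Evaluates a rule's detection_filter for the current packet.
//
// pv is the opaque node handed back by detection_filter_create() (presumably a
// THD_NODE*; the cast below assumes so).  When pv is null the rule carries no
// filter and 0 is returned without touching the threshold table.  Otherwise
// the result of sfthd_test_rule() for the given source/destination addresses,
// packet time and the active IPS policy id is returned unchanged.
//
// NOTE(review): detection_filter_hash is still null if detection_filter_init()
// was skipped (filtering disabled) — sfthd_test_rule() receives it as-is;
// confirm it tolerates a null table.
int detection_filter_test(void* pv, const SfIp* sip, const SfIp* dip, long curtime)
{
    if ( pv == nullptr )
        return 0;

    // static_cast documents that void* -> THD_NODE* is the only conversion
    // intended here, unlike the C-style cast it replaces.
    return sfthd_test_rule(detection_filter_hash, static_cast<THD_NODE*>(pv),
        sip, dip, curtime, get_ips_policy()->policy_id);
}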
64 
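// Creates the threshold node for one rule's detection_filter option.
//
// Returns nullptr when there is no config, when filtering is disabled, or when
// thdx is missing (the original only guarded df_config, yet dereferences thdx
// unconditionally).  Otherwise df_config->count is advanced and passed to
// sfthd_create_rule_threshold() together with the tracking mode, type, count
// and seconds taken from thdx; whatever that call returns (possibly null) is
// passed straight through to the caller.
//
// The counter is advanced before the sfthd call, so a value is consumed even
// if creation fails; that keeps the per-config ids unique.
THD_NODE* detection_filter_create(DetectionFilterConfig* df_config, THDX_STRUCT* thdx)
{
    if ( df_config == nullptr || thdx == nullptr )
        return nullptr;

    if ( !df_config->enabled )
        return nullptr;

    // Each filter gets a fresh value from the per-config counter.
    df_config->count++;

    return sfthd_create_rule_threshold(df_config->count, thdx->tracking,
        thdx->type, thdx->count, thdx->seconds);
}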
78 
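// Lazily allocates this thread's threshold table, handing df_config->memcap to
// sfthd_local_new().  Nothing is done when no config is given (guard added for
// consistency with detection_filter_create()), when filtering is disabled, or
// when the table already exists — so repeated calls on the same thread are
// harmless and never leak or replace an existing table.
void detection_filter_init(DetectionFilterConfig* df_config)
{
    if ( df_config == nullptr || !df_config->enabled )
        return;

    // One table per thread (THREAD_LOCAL); keep an existing one rather than
    // overwriting the pointer and losing its state.
    if ( !detection_filter_hash )
        detection_filter_hash = sfthd_local_new(df_config->memcap);
}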
87 
// Releases this thread's threshold table, if one was ever created, and resets
// the thread-local pointer so a later detection_filter_init() starts fresh.
void detection_filter_term()
{
    if ( detection_filter_hash == nullptr )
        return;

    // Clear the thread-local slot first, then destroy the table it pointed to.
    XHash* table = detection_filter_hash;
    detection_filter_hash = nullptr;
    delete table;
}
96 
97